Worm.Aimdes.c

Virus alias: IM-Worm.Win32.Aimes.C [AVP]
Processing time:
Threat level: ★★
Chinese name:
Virus type: Worm
Affected systems: Win9x / WinNT
Virus behavior:
This is a worm that spreads through AIM. The virus looks for AIM in specific directories and runs it, then sends the message "Hey I went to a wild party last week! checkout the pics!!!!" to the user's AIM buddies together with the file C:\party!!.pif, spreading itself this way. The virus also modifies the registry to disable Task Manager and the Registry Editor, attempts to call TaskKill to terminate certain system processes, and launches an attack against a certain website. Unlike variant B, this variant adds e-mail propagation: the virus impersonates the security software company Symantec and sends out e-mails carrying a copy of the virus.


1. Drops files.
Copies itself to the following files:
C:\Windows\sys32dll.exe
C:\party!!.pif

2. Modifies the registry.
Adds or modifies the following registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sys32dll
"C:\Windows\sys32dll.exe" (full path of the virus)

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\
"NoAutoUpdate"=dword:0x1

HKEY_CURRENT_USER\Software\Microsoft\security center\
"FirewallDisableNotify"=dword:0x1

HKEY_CURRENT_USER\Software\Microsoft\security center\
"UpdatesDisableNotify"=dword:0x1

HKEY_CURRENT_USER\Software\Microsoft\security center\
"AntiVirusDisableNotify"=dword:0x1

HKLM\Software\Microsoft\security center\
"FirewallDisableNotify"=dword:0x1

HKLM\Software\Microsoft\security center\
"UpdatesDisableNotify"=dword:0x1

HKLM\Software\Microsoft\security center\
"AntiVirusDisableNotify"=dword:0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableTaskMgr"=dword:0x1
"DisableRegistryTools"=dword:0x1

Deletes the registry value:
HKLM\software\Microsoft\windows\currentversion\run
"windows auto update.exe"
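
As an added example (not part of the original description), the following Python check parses a Windows registry export (.reg text) and flags the persistence entry and the Security Center / Windows Update notification-disable values listed above. The sample export is constructed from the indicators on this page; the function names are assumptions.

```python
import re

# Constructed sample of a .reg export from an infected host (not real data);
# the values mirror the indicators listed in this description.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"sys32dll"="C:\\Windows\\sys32dll.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
'''

# (key suffix, value name, expected data); None means any data counts.
# The suffix match covers both the HKCU and HKLM variants listed above.
INDICATORS = [
    (r"\software\microsoft\windows\currentversion\run", "sys32dll", None),
    (r"\software\policies\microsoft\windows\windowsupdate\au", "noautoupdate", 1),
    (r"\software\microsoft\security center", "firewalldisablenotify", 1),
    (r"\software\microsoft\security center", "updatesdisablenotify", 1),
    (r"\software\microsoft\security center", "antivirusdisablenotify", 1),
    (r"\currentversion\policies\system", "disabletaskmgr", 1),
    (r"\currentversion\policies\system", "disableregistrytools", 1),
]

def parse_reg(text):
    """Return {key: {name: data}} for string and dword values in a .reg export."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            entries.setdefault(key, {})
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                name, dword, s = m.groups()
                # .reg files escape backslashes in string data as "\\".
                entries[key][name.lower()] = int(dword, 16) if dword else s.replace("\\\\", "\\")
    return entries

def find_indicators(reg_text):
    """Return (key, value name, data) for every value that matches an indicator."""
    hits = []
    for key, values in parse_reg(reg_text).items():
        for suffix, name, expected in INDICATORS:
            if key.endswith(suffix) and name in values and expected in (None, values[name]):
                hits.append((key, name, values[name]))
    return hits
```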

3. Terminates system processes (Windows XP and later):
TASKKILL /T /F /IM SVCHOST.exe
TASKKILL /F /IM LSASS.exe

4. Launches an attack against a certain website.

5. Attempts to run AIM from the following paths:
C:\Program Files\AIM\aim.exe
C:\Program Files\AIM95\aim.exe

Sends the message "Hey I went to a wild party last week! checkout the pics!!!!" to AIM buddies together with the file C:\party!!.pif, spreading itself this way.

6. Searches files with the following extensions on local disks for e-mail addresses, then sends e-mail to the addresses found with a copy of the virus as the attachment.
The subject may be one of:
New worm on the looser please read
Blaster strikes again...please read!
New Computer Virus Protection!!
Read this please!
Read it!
Family Album
Antivirus Update
Protect your SYSTEM from new viruses!
Destroy Blaster
Read this for your PC's safety!!

Sender: securityresponse@symantec.com. Message body:
Dear user, a new variant of the worm 'Blaster' has been released a week ago!

It's spreading faster than it ever did, this version of Blaster has been classified as 'Category 5'.
Please click on the following link to understand how bad is a worm classified in Category 5:

http://securityresponse.symantec.com/avcenter/threat.severity.html#category
Symantec has developped a new 'patch' file which will prevent the new variant of Blaster to be executed and keep your system safe and clean.
The Patch file can be found in the attachment, please make sure you install it before being infected, because if you're already infected, the patch file cannot fix/remove this type of threat as it's not yet studied quite good. Symantec strongly recommends you to download and install the patch file before it's too late!

Symantec will soon release the 'Removal Tool' for this threat.
So if you don't often visit Symantec.com, we recommend you to visit us everyday to be in touch with the news of this type of threat.

P.S: We would like to thank Mr.Bazzi for making this patch file.

Regards,
posted @ 2007-10-18 16:47 过河卒A